WordPress.Security.EscapeOutput.OutputNotEscaped

Output is not escaped

Dynamic data is printed to the page without an escaping function for the output context.

critical weight

Why It Shows Up

WordPress Coding Standards detected a variable, option, request value, or function result reaching HTML output without a nearby escaping call.

Why It Matters

Unescaped output can become cross-site scripting when attackers control any part of the value being printed.

How to Fix

  • Use `esc_html()` for plain text, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` or `wp_kses_post()` when limited HTML is intentionally allowed.
  • Escape as late as possible, right before output, so the selected escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3751Privilege Widget4013952600Text Domain Mismatch
#3752Product Video Gallery for Woocommerce40613610k+Setting is missing a sanitization callback
#3753PT Theme Addon4067211k+Output is not escaped
#3754Quick Child Theme Generator402274900Request data is not unslashed
#3755Quiz Cat – WordPress Quiz Plugin40151694k+Output is not escaped
#3756Random Banner40591251k+Output is not escaped
#3757Recent & Featured Posts Widget401242600Output is not escaped
#3758Random Post Plugin – Redirect URL to Post4028743k+Nonce verification recommended
#3759Redirector4048327k+Output is not escaped
#3760Manual Related Posts4051321k+Output is not escaped
#3761Rename default post Labels405436600Text Domain Mismatch
#3762Responsive Plus – Elementor Templates & Starter Sites404630510k+Non-prefixed global variable
#3763Responsive Full Width Background Slider40131222k+Unsafe printing function
#3764Responsive Gallery Grid4090144k+Output is not escaped
#3765Responsive Sidebar404312700Output is not escaped
#3766Responsive Slider4028153k+Output is not escaped
#3767REST API Custom Fields404416800Text Domain Mismatch
#3768Risk Free Cash On Delivery (COD) – WooCommerce4010631400Text Domain Mismatch
#3769LazyLoad Plugin – Lazy Load Images, Videos, and Iframes403117100k+Output is not escaped
#3770Role Based Redirect4020962k+Non-prefixed global variable
#3771Salat Times4023520500Output is not escaped
#3772Sales Tax Reports For WooCommerce405065900Output is not escaped
#3773Same Category Posts4018383k+Output is not escaped
#3774Schedule Posts Calendar4074361k+Output is not escaped
#3775Search Live4013271600Output is not escaped
#3776Search with Typesense4081122700Non-prefixed global variable
#3777Secondary Title40117317k+Unsafe printing function
#3778Select All Categories and Taxonomies, Change Checkbox to Radio Buttons40116303k+Output is not escaped
#3779Select Post Export405118500Output is not escaped
#3780Sendy Widget404617700Output is not escaped
#3781Serviceform Pixel401822400Output is not escaped
#3782Multipage407228900Unsafe printing function
#3783Show Pages URL List40292341k+Non-prefixed global variable
#3784Contact Info Widget4018431k+Output is not escaped
#3785Simple Statistics for Feeds4064131800Nonce verification recommended
#3786AdFlow – Easy Google AdSense Integration4015093k+Unsafe printing function
#3787Simple Link List Widget4012982k+Output is not escaped
#3788Simple Page Sidebars40556510k+Output is not escaped
#3789Sinatra Core40101158k+Output is not escaped
#3790SportsPress for Cricket4012234500Text Domain Mismatch
#3791ST Demo Importer402775700Missing nonce verification
#3792Statify Widget4052134k+Output is not escaped
#3793Stax Addons for Elementor4014381500Output is not escaped
#3794CPS | Age Verification4012735900Unsafe printing function
#3795Developer Tools Blocker403547400strip tags strip tags
#3796Tagging403337500Output is not escaped
#3797Tealium407319600Unsafe printing function
#3798Theme Toolkit405314500Output is not escaped
#3799Theme and plugin translation for Polylang (TTfP)401026210k+Text Domain Mismatch
#3800Multiple Shipping Addresses for WooCommerce (Address Book)40212082k+Non-prefixed global variable